Help me understand why (or how to make) RLS is secure in Embedding

We have a web application where external clients can access an Embedded Power BI Report.

 

Flow:

1. A Power BI app token is generated.
2. An embed token is generated using the Power BI app token, with {accessLevel: "View"} as the payload.
3. The reports are generated using the embed token.

 

These requests are exposed in our front end, so it's easy to inspect the webpage and pick up all tokens.

 

We currently filter using JavaScript filters, so basically we pick up an ID (let's call it user_id) from the client and filter the report content using that (https://github.com/Microsoft/PowerBI-JavaScript/wiki/Filters). This means that it is fairly straightforward for a client to edit these filters and get access to data they should not have access to.

 

So we're looking into using RLS based on this guide (RLS Guide Embedded) and generating an embed token using this payload:

{"accessLevel": "View", "identities": [{"username": "user_id", "roles": ["EmbedUser"], "datasets": ["some guid"]}]}

 

Then we would have a role (EmbedUser) on the dataset, and this role would have the rule: [ClientDimension].[user_id] == userprincipalname()

 

Then the report generated using this embed token would contain only the data the customer can see.

 

But how come this is safe? What prevents a client from copying the generate-embed-token request, changing the user_id to something else, and generating a new embed token?

 

Is our issue that these requests should happen in the backend and that the Power BI app token should never be exposed?

 

Bear with me, I am not the (or a) front end developer so maybe none of this makes sense or maybe the answer is obvious, I am just trying to understand how to make our web app secure.
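An added example, not part of the original post and not Microsoft sample code, showing the backend pattern the question is circling: the embed-token request is built on the server, the RLS identity comes from the server's own authenticated session rather than from anything the browser sends, and the app token never leaves the server. Assumptions: `req.session.userId` is the identity the server established at login, `generateToken` is a stand-in for the Power BI REST GenerateToken call (replaced here by a constructed fake so the code runs offline), and the dataset GUID is a placeholder.

```javascript
// Role name taken from the post; dataset GUID is a placeholder, not a real ID.
const EMBED_ROLE = "EmbedUser";
const DATASET_ID = "00000000-0000-0000-0000-000000000000"; // placeholder

// Constructed stand-in for the app token. In a real deployment it is obtained
// server-side (service principal or master user) and is never sent to the browser.
const APP_TOKEN = "constructed-app-token-kept-server-side";

// Build the GenerateToken body. `session` is the server-side session record,
// never a request parameter, so the client has no way to pick the username.
function buildEmbedTokenPayload(session) {
  if (!session || typeof session.userId !== "string" || session.userId === "") {
    throw new Error("no authenticated user in session");
  }
  return {
    accessLevel: "View",
    identities: [
      {
        // This value is what the RLS rule's userprincipalname() evaluates to
        // for this embed token.
        username: session.userId,
        roles: [EMBED_ROLE],
        datasets: [DATASET_ID],
      },
    ],
  };
}

// Simulated handler for a backend endpoint such as POST /api/embed-token
// (hypothetical route). The request body is intentionally not consulted for
// identity: a client posting { user_id: "someone-else" } has no effect.
// `generateToken(appToken, payload)` abstracts the Power BI REST call.
function handleEmbedTokenRequest(req, generateToken) {
  const payload = buildEmbedTokenPayload(req.session);
  const result = generateToken(APP_TOKEN, payload);
  // Only the short-lived embed token (and its expiry) goes back to the browser.
  // The app token and the identities payload stay on the server.
  return { token: result.token, expiration: result.expiration };
}

// Constructed fake of the GenerateToken call for offline demonstration: it
// records what it was called with and returns a dummy token tied to the
// username that ended up in the payload.
function fakeGenerateToken(appToken, payload) {
  fakeGenerateToken.lastCall = { appToken, payload };
  return {
    token: "embed-token-for-" + payload.identities[0].username,
    expiration: "2020-09-01T00:00:00Z", // constructed value
  };
}

// Returns true if a response object would leak the app token to the client.
function responseLeaksAppToken(response) {
  return JSON.stringify(response).includes(APP_TOKEN);
}
```

With this layout, tampering with the front-end filters or the embed-token request body no longer widens what the client can see: the only identity Power BI applies RLS against is the one the backend put in the payload, and the only credential the browser ever holds is the view-only embed token scoped to that identity.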